APRA has written to the organisations it supervises reminding them of the prudential and risk issues associated with using cloud computing services.

APRA has pointed out the potential risk for:

• a financial institution’s ability to continue operations and meet core obligations, following a loss of cloud computing services;
• confidentiality and integrity of sensitive (e.g. customer) data/information; and
• compliance with legislative and prudential requirements.

APRA says: “In APRA’s view, both materiality and risk assessments necessitate a detailed understanding of the extent and nature of the business processes (including those pertaining to decision-making and support), the technology architecture and the sensitive information (customer or other) impacted by the outsourcing arrangement. APRA has observed that, to date, assessments of cloud computing proposals typically lack sufficient consideration of these factors.”

APRA also expressed concern if material services were obtained from offshore without sufficient analysis.

Cloud computing has become attractive for non-critical functions because it does not lock in users to proprietary technology and standards and reduces high capital costs.